What Is A Memcached DDoS Attack?

Over the past month, the power of DDoS attacks has risen hugely, with previously unthought-of bandwidth bringing down online services. One such service was GitHub, the development platform that allows for simple and easy collaboration on projects.

Record Breakers

Back on the 1st of March 2018, GitHub was hit with the largest and most devastating DDoS attack of all time: a whopping 1.35Tbps worth of bandwidth. The previous record stood at just 650Gbps, signalling a change in method for the perpetrators of DDoS attacks.

Just four days after the 1.35Tbps DDoS attack, an undisclosed company was hit with another record-breaking attack. This time their servers were hit with 1.7Tbps of bandwidth, smashing the record set just days before.

This left everyone wondering how exactly the attackers managed to thoroughly destroy that previous 650Gbps record.

Enter Vulnerable Memcached Servers

Memcached servers have become a valuable asset in the last ten or so years. They give applications that need a lot of externally stored data fast access to it. Many companies use Memcached servers to improve page load times or deal with high demand.

Memcached servers are usually disconnected completely from the public internet and kept for internal use. It turns out that many of these servers were not configured correctly, allowing attackers to take advantage of them.

Open UDP Ports Left Servers Wide Open

UDP (User Datagram Protocol) is a protocol that allows two clients to interact with each other. TCP is another protocol that offers the same ability.

UDP is often used for applications that require the most speed because, unlike TCP, it doesn't require acknowledgement from the receiving party before it can send packets. UDP wasn't actually meant to be used in Memcached servers; Facebook added that capability in 2008 under the assumption the servers would be kept for internal use only.

Of course, this wasn't the case: a huge number of Memcached servers currently operate using UDP and are left wide open to attack.

UDP Crackdown

Shortly after the huge DDoS attacks, the Memcached open-source project released a new version that completely locked down the UDP port. According to Cloudflare, there are thousands of Memcached servers that are currently operating with unprotected UDP ports. This means it could be a while before these servers are updated to get rid of the UDP vulnerability.
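
For admins who want to check their own servers, here is a small audit of Memcached startup options. It is an added example, not code from this article or from the Memcached project. It assumes the options are kept one per line with # comments, uses Memcached's -U/--udp-port and -l/--listen options, and treats an unset -U as enabled because the default depends on the installed version.

```python
import ipaddress
import shlex

# Constructed sample options, one per line (not taken from a real server).
SAMPLE_CONF = """\
-m 64
-p 11211
-u memcache   # lowercase -u is the run-as user, not the UDP port
-l 0.0.0.0
"""

def parse_options(conf_text):
    """Return (udp_port or None, [listen addresses]) from option lines."""
    tokens = []
    for line in conf_text.splitlines():
        tokens += shlex.split(line.split("#", 1)[0])  # drop comments
    udp_port, listen, i = None, [], 0
    while i < len(tokens):
        name, value = tokens[i], None
        if name.startswith("--") and "=" in name:        # --udp-port=0
            name, value = name.split("=", 1)
        elif name in ("-U", "-l", "--udp-port", "--listen") and i + 1 < len(tokens):
            i += 1
            value = tokens[i]                            # -U 0
        elif name[:2] in ("-U", "-l") and len(name) > 2:  # -U0
            name, value = name[:2], name[2:]
        if value is not None and name in ("-U", "--udp-port"):
            udp_port = int(value)
        elif value is not None and name in ("-l", "--listen"):
            listen += [a.strip() for a in value.split(",")]
        i += 1
    return udp_port, listen

def is_loopback(addr):
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # other hostnames and host:port forms count as non-loopback

def audit(conf_text):
    """Classify the UDP exposure implied by the options."""
    udp_port, listen = parse_options(conf_text)
    if udp_port == 0:
        return "udp-off"             # UDP listener explicitly disabled
    if listen and all(is_loopback(a) for a in listen):
        return "udp-loopback-only"   # UDP may be on, but only on loopback
    return "udp-reachable"           # assumption: unset -U is treated as enabled
```

Anything reported as udp-reachable should get an explicit -U 0 or a loopback-only -l, plus a firewall rule for the UDP port.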

The Attacks Will Continue For The Foreseeable Future

If Cloudflare's estimates of thousands of unprotected UDP Memcached servers are true, it will take a very long time before enough of these servers are patched to remove this threat. This means that attackers will continue to throw these huge amounts of bandwidth at online services.

Oftentimes, these sorts of attacks exist as a status symbol, to try and break records. Until enough of these servers are patched, we will continue to see attackers trying to one-up one another until the threat is neutralised.

This, of course, may not ever come about. There could be enough servers out there with admins completely unaware of this vulnerability, meaning that attackers will continue to have Memcached servers to launch attacks from.

Memcached DDoS Protection

Whilst this sort of DDoS bandwidth was previously unthought of, companies will now have to protect themselves from the very real threat of huge DDoS attacks. Current DDoS countermeasures may not suffice for much longer. One thing is for sure: Memcached DDoS attacks will radically change the network security industry.